Since its inception eight years ago this month and subsequent rollout, the Federal Risk and Authorization Management Program (FedRAMP) has delivered much-needed standardization to the complex task of ensuring security for federal cloud computing. A framework for assessing the security of cloud services and products against a baseline of controls, FedRAMP brings a measure of consistency and trust as agencies pour more than $20 billion into the cloud, more than 25 percent of all federal IT spending.
As government solidifies its embrace of the cloud, FedRAMP has endured a steep learning curve. Analysts have identified several pain points: the list of needs includes infrastructure upgrades and more transparency; streamlined certification and cost reductions for continuous monitoring; and more harmonization of standards, especially when Department of Defense (DoD) programs are involved.
To their credit, FedRAMP administrators have delivered ongoing improvements and clarifications, including a recent Agency Authorization Playbook of best practices and role optimization for working effectively with third-party assessment organizations (3PAOs).
FedRAMP also recently invited industry suggestions for how to mature and automate more elements of the FedRAMP process. Since they asked, here are a few thoughts from our perspective as a provider of solutions and services for continuous security assurance of individuals, systems and information.
Fewer Hassles, More Templates and Automation
For all the guidance and resources, today’s FedRAMP experience remains a costly and byzantine process that can take well over a year. The pain points mentioned above stymie progress and represent barriers to entry for smaller companies and new players in the market.
How do we fix this? Wherever possible, we should take the FedRAMP toolkit beyond simple process advice and into the realm of "cheat sheets" and tips that save time and money. Templates, for instance, can simplify everything from registering a project and building a body of evidence all the way through assessment, authorization and continuous monitoring. As just one example, a company could use a self-assessment template for its own readiness review and save some of the time and roughly $50,000 of budget it would ordinarily spend having a 3PAO perform that preliminary assessment; the independent 3PAO assessment required for authorization itself still follows, but it starts from a cleaner baseline.
FedRAMP deserves kudos for seeking more automation throughout the process, and nowhere is this more useful than in so-called "inheritance" from FedRAMP-authorized cloud service providers (CSPs) such as Amazon Web Services and Microsoft Azure. New FedRAMP applicants that build on a service with an active authority to operate (ATO) benefit greatly whenever they can inherit control implementations from that authorized service, eliminating redundant validation of compliance. One caveat practitioners should keep in mind: inheritance covers only the controls the underlying provider actually implements within its own authorization boundary. Controls the provider marks as shared or as the customer's responsibility (physical security is inherited; configuring encryption, access control and logging on the applicant's own resources is not) still require the applicant's own implementation and evidence.
It sounds like common sense, and it does happen to some extent today. But there is room for automation to further simplify and democratize the practice for more FedRAMP applicants, for example by mapping an applicant's system components to the provider's published control inheritance and customer-responsibility information so that the applicant only has to document what is genuinely its own.
The Future of FedRAMP
If all that sounds like a tall order, it is. That’s why improvements must be strategic, ongoing and collaborative across the entire FedRAMP ecosystem of agencies, CSPs, 3PAOs and other stakeholders. As proud as we are of our company, no single vendor is going to orchestrate the FedRAMP process. The future will be increasingly defined by best-of-breed, collaborative innovation across that stakeholder ecosystem – with lots of incubation and piloting as the best ideas get tested, scaled and adopted more broadly.
What will that future ultimately look like? We see a world where complexity is removed as a barrier to entry and shorter application lifecycles mean solutions are more up to date. The future should include automated documentation that simplifies the burden of governance, with digital platforms enabling seamless collaboration among agencies, applicants and 3PAOs. Finally, we need to arrive at a place where lower cost brings more competition and innovation as more vendors become willing to go through the process to begin with.
The good news is that we are already making progress along this path to a better FedRAMP ecosystem. Many of the do-it-yourself templates mentioned above already exist.
Most importantly, FedRAMP administrators seem increasingly receptive to piloting new techniques and process improvements. As time goes by, we’ll hopefully see even more collaboration in orchestrating and automating the ATO process with FedRAMP – to the benefit of agencies and, ultimately, the citizens they serve.
Milica Green is a compliance subject matter expert for the Telos Corporation.